Pi Hole - network-wide ad blocking
-
This is easy to get on Cloudron indeed. Two outstanding issues are:
- Cloudron currently does not allow apps to use port < 1024. DNS requires port 53. This is fixable, I guess.
- Exposing Pi-Hole on port 53 would mean, anyone can access it, not just you. DNS has no auth mechanism afaik. So, I can start using your Pi-Hole server as well as the DNS. Not sure if that is good/bad. Maybe with some firewall rules we can make it so that it is IP locked.
-
@girish it would be great to have Pi-hole in Cloudron and I agree with you it should be save so it would be great to have it together with WireGuard.
Is it possible to make a Cloudron-app with Pi-hole in VPN so you can make use of it anywhere AND safe!?
Kind regards,
Marcel. -
Upvoted! I'd love to see Pi-hole on Cloudron.
-
I love getting to know more about Pi Hole: blocking ads throughout the network, it is very useful for me that I am starting in this. Thank you
-
Sorry to ask. I don't understand the use case. Why do you need Pi-hole on Cloudron?
For your local network and 53 portforward?
For (potential) ads/bugs inside apps from the appstore?
For your local network with a local Cloudron instance?
??? -
Pi-Hole on Cloudron is useless IMHO for only internal "filtering".
Only in combination with a VPN like WireGuard it's a perfect combination to be online, outside of your 'safe home wifi', without sniffing of mobile providers proxies and "free open wifi", and with a kind of safetynet by Pi-Hole.
@luckow yes I do have a RaspberryPi with Wireguard AND Pi-Hole at home, but as an extra "external" backup its very welcome (and very easy) to have Pi-Hole+WireGuard in a Cloudron app.
-
Actually, one could do this (if you know what you're doing) by offering the pihole externally. In order to be safe, you would want to make sure to whitelist ONLY the IPs coming in to connect to it you intend to allow, otherwise you open your self up to DNS hijacking. I do this now by exposing a pihole on Azure that only my home router can connect to. Works great. FWIW, I took a look at packaging pihole the other day, cause of my use case. It looks...possible, but there are a LOT of moving parts and it really wants some pretty low level access, so, challenges will persist.
-
@imc67 @doodlemania2 Right now I am using this setup on a separate, cloud hosted VM. Wireguard and Pihole, configured so that the system can only be accessed over VPN, not by external parties. Works beautifully and would be so cool, if this was working on Cloudron.
Excellent idea and request. Thanks for bringing this up.
-
Currently, what is holding back pi-hole is a couple of Cloudron limitations:
-
Cloudron reserves port 53 (dns) on the server. Have to fix unbound to listen only on internal interfaces (we listen on 0.0.0.0 and rely on firewall and access control policies to block requests).
-
Some IP based firewall as @savity has been requesting in another thread. This is required to block requests to pi-hole to just your machines/network.
-
-
yeah i mean it would be for me i would never create pihole acessable for others its for private reasons vpn+pihole. So pihole would be listening, lets say on 10.9.0.0
Maybe in the future the idea could to configure other apps only availaie in the same VPN Network